Here is a bounced message from Eduardo DeCastro [EMAIL PROTECTED]
Here is another take at the application issue:
I totally agree with Morten that this is clearly a quesiton of a technology
looking for a champion, and with Denis that the picture will change
dramatically when broadband becomes comonplace.
My take, though, is that security -specifically, corporate network access-
will be the field where all this starts happening, at least in the US.
There are a number of compelling reasons for this.
Installed reader base is a biggie. Almost nobody has a reader attached to
their computer, and Metcalf's teaches us that the value of any "network" is
proportional to the square of the number of people affiliated to that
network. The old no users - so no apps-so no users. Until that changes,
even superior technology and great ideas (micropayments, digital cash,
next-gen loyalty programs, web "portal" cards, etc.) have a heck on an
uphill struggle.
Counter-intuitive, yes, but look at stuff like QWERTY, magstripes, and good
ol' windows. All of them inferior, all of them wildly popular. There is
some good research on the topic (network externalities, path-dependent
stochastic proceses, etc,). The upside, though, is that when it rains, it
*pours* -look at the net or Linux.
The deal, then, is to make a succesful app. you have to look for pools, or
communities, of users that are willing to roll out the technology *as a
group*, because the benefits the group obtains from the technology
outweights the cost complexity of rolling it out.
That is where corporate network access comes in. They provide exactly this
type of "pool" of users who would obtain sufficient benefits from the
technology to justify rolling it out, even in the absence of everybody else
having card-enbled systems.
The concept is pretty simple; issue everybody who needs access to your
network a cryptographic smartcard that contains an x-509 cert. Then tie
that on the back end to a directory-based (LDAP) authentication mechanism
and, presto!, you have a heck of a valuable system. Friendly to the end
user, vastly simplified network admin, no more forgotten passwords, no more
dictionary cracks, and it enables you to do lots of other useful stuff
(VPNs, digital document signing, whatnot).
As an added plus, this makes the number of card-enabled systems out there
grow. Eventually you'll get a critical mass of enabled machines out there
that will allow other kinds of card-specific apps to become commonplace.
The concept of card and directory-based network logons has been public
knowledge for a while, and the commercialization push is being led by -sigh-
Microsoft, who have made it a central feature of NT 5.
Still, a number of other players (entrust, verisign, the card manufacturers,
a slew of ISVs) are active in this area, and there is definitivelly a role
for the Linux community to play here. After all, Msoft is not the only game
in town (entrust in particular is really solid), and in any case there's
plenty of people who want to access corporate networks using something other
than a windows box.
Some usefull apps can be written here. One really good idea would be a
Linux app. that essentially mimics the NT 5 smartcard logon, so people could
use their smartcard linux box to log in. That would definitively be a
valuable thing to do with the cards. Same thing could be done for other
challenge-response based authentications, VPN protocols, etc. Any one of
those would be a good thing for both the linux community and the smartcard
world (card reader manufacturers, ISVs, etc).
All of this would definitively need to be based on a cryptographic card
(Schlumberger's Cryptoflex and upcoming Cyberflex Access would be good
choices). I am not aware of anybody working on it at this time.
Take it easy,
Eduardo.
[EMAIL PROTECTED]
-Original Message-
From: Morten Norman [EMAIL PROTECTED]
To: [EMAIL PROTECTED] [EMAIL PROTECTED]
Date: Monday, March 01, 1999 11:36 AM
Subject: MUSCLE applications?
I'm just curious...
Are there any people writing PC/SC smartcard *applications* for Linux yet?
My experience from smartcard development, so far, is that some big actor(s)
decides to use the technology. Then they launch "it all": application +
reader + smartcard + infrastructure (card issuing, contracts etc.). PC/SC
and multivendor projects are changing things, but rather slow.
Thus I'm very curious to see how things are going to develop the "Linux
way",
where things more or less grows step-by-step, but fast (if they are
accepted).
Are there any potential killer applications for Linux in the pipeline?
Will we mainly port or adopt things from other platforms, or make new
applications targeted to be accepted by individuals or small groups?
Morten
***
Linux Smart Card Developers - M.U.S.C.L.E.
(Movement for the Use of Smart Cards in a Linux Environment)
